These forums are locked and archived, but all topics have been migrated to the new forum. You can search for this topic on the new forum: Search for SORBS now blocking servers with webmin installed on the new forum.
Web Hosting and Cloud Computing Control Panels
I can't find any reference to this new policy on the SORBS site or in a Google search, and none of my mail servers show up in a SORBS database search (and obviously all of them run Webmin, on port 10000). Could you email me a link to the full error report on the host?
--
Check out the forum guidelines!
http://www.us.sorbs.net/lookup.shtml?78.47.67.145
All I see is that the record was created way back last June, and, this comment:
"Currently inactive and not flagged to be published in DNS."
So, haven't you been on their list for 8 months?
It says your server is exploitable. It doesn't say due to webmin. How do you know that? Where do you see the port 10000 message, I do not see it going to your link?
I do see this note on a site, makes me wonder....
"This is the kiddies looking for hosts running Webmin on Usermin. There is a vuln from June 30 2006 (BID 18744; CVE-2006-3392) which allows an attacker to request an arbitrary file from the remote host without authenticating to webmin. The mass auto-rooters that I've captured for this vuln request /etc/shadow, and then send the file via email to a yahoo account by default. There was also a Metasploit module published recently for the vuln. There is also a format string bug and integar overflow in Webmin, but there are no public sploits for them (CANVAS has one). Versions of Webmin older than 1.290 are effected by BID 18744, as well as versions of Usermin older than 1.220. If you're running Webmin or Usermin, take a look at your miniserv.log (/var/log/webmin/miniserv.log). You should see a great deal of requests for /etc/shadow. Usermin also runs on port 20000. Look for a directory called w, and/or a file called pscan2. Both these were used in the auto-rooters I was able to capture."
So, are you using older version?
It is also used by OpwinTRojan
Certainly, contact Sorbs and ask for more info. Also, realize Sorbs doesn't scan your host, UNLESS, you send mail to a sorbs host. So, this means mail did go from your server to a sorbs host of some sort at some time.
Of course, you can also change your webmin port.
They just cleared 78.47.67.145 -- they cleared all the ones they said 10000 were likely backdoors after I royally bitched them out for being stupid idiots.
*likely* does not mean it is.......
Excellent! I never had any of mine added, been running webmn for at least 3-4 years. But, I always used SSL and I always changed the port from 10000 as well.
Maybe they won't do any more then. At least we hope!